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Status of this Memo 


This document provides information for the Internet community. This 
memo does not specify an Internet standard of any kind. Distribution 
of this memo is unlimited. 


1. INTRODUCTION 


The authentication requirements of computing systems and network 
protocols vary greatly with their intended use, accessibility, and 
their network connectivity. This document describes a spectrum of 
authentication technologies and provides suggestions to protocol 
developers on what kinds of authentication might be suitable for some 
kinds of protocols and applications used in the Internet. It is 
hoped that this document will provide useful information to 
interested members of the Internet community. 


Passwords, which are vulnerable to passive attack, are not strong 
enough to be appropriate in the current Internet [CERT94]. Further, 
there is ample evidence that both passive and active attacks are not 
uncommon in the current Internet [Bellovin89, Bellovin92, Bellovin93, 
CB94, Stoll90]. The authors of this paper believe that many 
protocols used in the Internet should have stronger authentication 
mechanisms so that they are at least protected from passive attacks. 
Support for authentication mechanisms secure against active attack is 
clearly desirable in internetworking protocols. 


There are a number of dimensions to the internetwork authentication 
problem and, in the interest of brevity and readability, this 
document only describes some of them. However, factors that a 
protocol designer should consider include whether authentication is 
between machines or between a human and a machine, whether the 
authentication is local only or distributed across a network, 
strength of the authentication mechanism, and how keys are managed. 
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DEFINITION OF TERMS 


This section briefly defines some of the terms used in this paper to 
aid the reader in understanding these suggestions. Other references 
on this subject might be using slightly different terms and 
definitions because the security community has not reached full 
consensus on all definitions. The definitions provided here are 
specifically focused on the matters discussed in this particular 
document. 


Active Attack: An attempt to improperly modify data, gain 
authentication, or gain authorization by inserting false 
packets into the data stream or by modifying packets 
transiting the data stream. (See passive attacks and replay 
attacks.) 


Asymmetric Cryptography: An encryption system that uses different 
keys, for encryption and decryption. The two keys have an 
intrinsic mathematical relationship to each other. Also 
called Public” Key” Cryptography. (See Symmetric Cryptography) 


Authentication: The verification of the identity of the source of 
information. 


Authorization: The granting of access rights based on an 
authenticated identity. 


Confidentiality: The protection of information so that someone not 
authorized to access the information cannot read the 
information even though the unauthorized person might see the 
information’s container (e.g., computer file or network 
packet). 


Encryption: A mechanism often used to provide confidentiality. 


Integrity: The protection of information from unauthorized 
modification. 


Key Certificate: A data structure consisting of a public key, the 
identity of the person, system, or role associated with that 
key, and information authenticating both the key and the 
association between that identity and that public key. The 
keys used by PEM are one example of a key certificate 
[Kent 93]. 


Passive Attack: An attack on an authentication system that inserts 
no data into the stream, but instead relies on being able to 
passively monitor information being sent between other 
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parties. This information could be used a later time in what 
appears to be a valid session. (See active attack and replay 
attack.) 


Plain-text: Unencrypted text. 


Replay Attack: An attack on an authentication system by recording 
and replaying previously sent valid messages (or parts of 
messages). Any constant authentication information, such as a 
password or electronically transmitted biometric data, can be 
recorded and used later to forge messages that appear to be 
authentic. 


Symmetric Cryptography: An encryption system that uses the same key 
for encryption and decryption. Sometimes referred to as 
Secret’ Key Cryptography. 


3. AUTHENTICATION TECHNOLOGIES 


There are a number of different classes of authentication, ranging 
from no authentication to very strong authentication. Different 
authentication mechanisms are appropriate for addressing different 
kinds of authentication problems, so this is not a strict 
hierarchical ordering. 


3.1 No Authentication 


For completeness, the simplest authentication system is not to 
have any. A non-networked PC in a private (secure) location is an 
example of where no authentication is acceptable. Another case is 
a stand-alone public workstation, such as "mail reading" 
workstations provided at some conferences, on which the data is 
not sensitive to disclosure or modification. 


3.2 Authentication Mechanisms Vulnerable to Passive Attacks 


The simple password check is by far the most common form of 
authentication. Simple authentication checks come in many forms: 
the key may be a password memorized by the user, it may be a 
physical or electronic item possessed by the user, or it may be a 
unique biological feature. Simple authentication systems are said 
to be "disclosing" because if the key is transmitted over a 
network it is disclosed to eavesdroppers. There have been 
widespread reports of successful passive attacks in the current 
Internet using already compromised machines to engage in passive 
attacks against additional machines [CERT94]. Disclosing 
authentication mechanisms are vulnerable to replay attacks. 
Access keys may be stored on the target system, in which case a 
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single breach in system security may gain access to all passwords. 
Alternatively, as on most systems, the data stored on the system 
can be enough to verify passwords but not to generate them. 


3.3 Authentication Mechanisms Vulnerable to Active Attacks 


Non-disclosing password systems have been designed to prevent 
replay attacks. Several systems have been invented to generate 
non-disclosing passwords. For example, the SecurID Card from 
Security Dynamics uses synchronized clocks for authentication 
information. The card generates a visual display and thus must be 
in the possession of the person seeking authentication. The S/Key 
(TM) authentication system developed at Bellcore generates 
multiple single use passwords from a single secret key [Haller94]. 
It does not use a physical token, so it is also suitable for 
machine-machine authentication. In addition there are challenge- 
response systems in which a device or computer program is used to 
generate a verifiable response from a non-repeating challenge. 
S/Key authentication does not require the storage of the user’s 
secret key, which is an advantage when dealing with current 
untrustworthy computing systems. In its current form, the S/Key 
system is vulnerable to a dictionary attack on the secret password 
(pass phrase) which might have been poorly chosen. The Point-to- 
Point Protocol’s CHAP challenge-response system is non-disclosing 
but only useful locally [LS92, Simpson93]. These systems vary in 
the sensitivity of the information stored in the authenticating 
host, and thus vary in the security requirements that must be 
placed on that host. 


3.4 Authentication Mechanisms Not Vulnerable to Active Attacks 


The growing use of networked computing environments has led to the 
need for stronger authentication. In open networks, many users 
can gain access to any information flowing over the network, and 
with additional effort, a user can send information that appears 
to come from another user. 


More powerful authentication systems make use of the computation 
capability of the two authenticating parties. Authentication may 
be unidirectional, for example authenticating users to a host 
computer system, or it may be mutual in which case the entity 
logging in is assured of the identity of the host. Some 
authentication systems use cryptographic techniques and establish 
(as a part of the authentication process) a shared secret (e.g., 
session key) that can be used for further exchanges. For example, 
a user, after completion of the authentication process, might be 
granted an authorization ticket that can be used to obtain other 
services without further authentication. These authentication 
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systems might also provide confidentiality (using encryption) over 
insecure networks when required. 


4. CRYPTOGRAPHY 


Cryptographic mechanisms are widely used to provide authentication, 
either with or without confidentiality, in computer networks and 
internetworks. There are two basic kinds of cryptography and these 
are described in this section. A fundamental and recurring problem 
with cryptographic mechanisms is how to securely distribute keys to 
the communicating parties. Key distribution is addressed in Section 
6 of this document. 


4.1 Symmetric Cryptography 


Symmetric Cryptography includes all systems that use the same key 
for encryption and decryption. Thus if anyone improperly obtains 
the key, they can both decrypt and read data encrypted using that 
key and also encrypt false data and make it appear to be valid. 
This means that knowledge of the key by an undesired third party 
fully compromises the confidentiality of the system. Therefore, 
the keys used need to be distributed securely, either by courier 
or perhaps by use of a key distribution protocol, of which the 
best known is perhaps that proposed by Needham and Schroeder 
[NS78, NS87]. The widely used Data Encryption Standard (DES) 
algorithm, that has been standardized for use to protect 
unclassified civilian US Government information, is perhaps the 
best known symmetric encryption algorithm [NBS77]. 


A well known system that addresses insecure open networks as a 
part of a computing environment is the Kerberos (TM) 
Authentication Service that was developed as part of Project 
Athena at MIT [SNS88, BM91, KN93]. Kerberos is based on Data 
Encryption Standard (DES) symmetric key encryption and uses a 
trusted (third party) host that knows the secret keys of all users 
and services, and thus can generate credentials that can be used 
by users and servers to prove their identities to other systems. 
As with any distributed authentication scheme, these credentials 
will be believed by any computer within the local administrative 
domain or realm. Hence, if a user’s password is disclosed, an 
attacker would be able to masquerade as that user on any system 
which trusts Kerberos. As the Kerberos server knows all secret 
keys, it must be physically secure. Kerberos session keys can be 
used to provide confidentiality between any entities that trust 
the key server. 
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4.2 Asymmetric Cryptography 


In the late 1970s, a major breakthrough in cryptology led to the 
availability of Asymmetric Cryptography. This is different from 
Symmetric Cryptography because different keys are used for 
encryption and decryption, which greatly simplifies the key 
distribution problem. The best known asymmetric system is based 
on work by Rivest, Shamir, and Adleman and is often referred to as 
"RSA" after the authors’ initials [RSA78]. 


SPX is an experimental system that overcomes the limitations of 
the trusted key distribution center of Kerberos by using RSA 
Public Key Cryptography [TA91]. SPX assumes a global hierarchy of 
certifying authorities at least one of which is trusted by each 
party. It uses digital signatures that consist of a token 
encrypted in the private key of the signing entity and that are 
validated using the appropriate public key. The public keys are 
believed to be correct as they are obtained under the signature of 
the trusted certification authority. Critical parts of the 
authentication exchange are encrypted in the public keys of the 
receivers, thus preventing a replay attack. 


4.3 Cryptographic Checksums 


Cryptographic checksums are one of the most useful near term tools 
for protocol designers. A cryptographic checksum or message 
integrity checksum (MIC) provides data integrity and 
authentication but not non-repudiation. For example, Secure SNMP 
and SNMPv2 both calculate a MD5 cryptographic checksum over a 
shared secret item of data and the information to be authenticated 
[Rivest92, GM93]. This serves to authenticate the data origin and 
is believed to be very difficult to forge. It does not 
authenticate that the data being sent is itself valid, only that 
it was actually sent by the party that claims to have sent it. 
Crytographic checksums can be used to provide relatively strong 
authentication and are particularly useful in host-to-host 
communications. The main implementation difficulty with 
cryptographic checksums is key distribution. 


4.4 Digital Signatures 


A digital signature is a cryptographic mechanism which is the 
electronic equivalent of a written signature. It serves to 
authenticate a piece of data as to the sender. A digital 
signature using asymmetric cryptography (Public Key) can also be 
useful in proving that data originated with a party even if the 
party denies having sent it; this property is called non- 
repudiation. A digital signature provides authentication without 
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confidentiality and without incurring some of the difficulties in 
full encryption. Digital signatures are being used with key 
certificates for Privacy Enhanced Mail [Linn93, Kent93, 
Balenson93, Kaliski93]. 


5. USER TO HOST AUTHENTICATION 


There are a number of different approaches to authenticating users to 
remote or networked hosts. Two types of hazard are created by remote 
or networked access: First an intruder can eavesdrop on the network 
and obtain user ids and passwords for a later replay attack. Even the 
form of existing passwords provides a potential intruder with a head 
start in guessing new ones. 


Currently, most systems use plain-text disclosing passwords sent over 
the network (typically using telnet or rlogin) from the user to the 
remote host [Anderson84, Kantor91]. This system does not provide 
adequate protection from replay attacks where an eavesdropper gains 
remote user ids and remote passwords. 


5.1 Protection Against Passive Attack Is Necessary 


Failure to use at least a non-disclosing password system means 
that unlimited access is unintentionally granted to anyone with 
physical access to the network. For example, anyone with physical 
access to the Ethernet cable can impersonate any user on that 
portion of the network. Thus, when one has plain-text disclosing 
passwords on an Ethernet, the primary security system is the guard 
at the door (if any exist). The same problem exists in other LAN 
technologies such as Token-Ring or FDDI. In some small internal 
Local Area Networks (LANs) it may be acceptable to take this risk, 
but it is an unacceptable risk in an Internet [CERT94]. 


The minimal defense against passive attacks, such as 
eavesdropping, is to use a non-disclosing password system. Such a 
system can be run from a dumb terminal or a simple communications 
program (e.g., Crosstalk or PROCOMM) that emulates a dumb terminal 
on a PC class computer. Using a stronger authentication system 
would certainly defend against passive attacks against remotely 
accessed systems, but at the cost of not being able to use simple 
terminals. It is reasonable to expect that the vendors of 
communications programs and non user-programmable terminals (such 
as X-Terminals) would build in non-disclosing password or stronger 
authentication systems if they were standardized or if a large 
market were offered. One of the advantages of Kerberos is that, 
if used properly, the user’s password never leaves the user’s 
workstation. Instead they are used to decrypt the user’s Kerberos 
tickets, which are themselves encrypted information which are sent 
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over the network to application servers. 
5.2 Perimeter Defenses as Short Term Tool 


Perimeter defenses are becoming more common. In these systems, 
the user first authenticates to an entity on an externally 
accessible portion of the network, possibly a "firewall" host on 
the Internet, using a non-disclosing password system. The user 
then uses a second system to authenticate to each host, or group 
of hosts, from which service is desired. This decouples the 
problem into two more easily handled situations. 


There are several disadvantages to the perimeter defense, so it 
should be thought of as a short term solution. The gateway is not 
transparent at the IP level, so it must treat every service 
independently. The use of double authentication is, in general, 
difficult or impossible for computer-computer communication. End 
to end protocols, which are common on the connectionless Internet, 
could easily break. The perimeter defense must be tight and 
complete, because if it is broken, the inner defenses tend to be 
too weak to stop a potential intruder. For example, if disclosing 
passwords are used internally, these passwords can be learned by 
an external intruder (eavesdropping). If that intruder is able to 
penetrate the perimeter, the internal system is completely 
exposed. Finally, a perimeter defense may be open to compromise 
by internal users looking for shortcuts. 


A frequent form of perimeter defense is the application relay. As 
these relays are protocol specific, the IP connectivity of the 
hosts inside the perimeter with the outside world is broken and 
part of the power of the Internet is lost. 


An administrative advantage of the perimeter defense is that the 
number of machines that are on the perimeter and thus vulnerable 
to attack is small. These machines may be carefully checked for 
security hazards, but it is difficult (or impossible) to guarantee 
that the perimeter is leak-proof. The security of a perimeter 
defense is complicated as the gateway machines must pass some 
types of traffic such as electronic mail. Other network services 
such as the Network Time Protocol (NTP) and the File Transfer 
Protocol (FTP) may also be desirable [Mills92, PR85, Bishop]. 
Furthermore, the perimeter gateway system must be able to pass 
without bottleneck the entire traffic load for its security 
domain. 
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5.3 Protection Against Active Attacks Highly Desirable 


In the foreseeable future, the use of stronger techniques will be 
required to protect against active attacks. Many corporate 
networks based on broadcast technology such as Ethernet probably 
need such techniques. To defend against an active attack, or to 
provide privacy, it is necessary to use a protocol with session 
encryption, for example Kerberos, or use an authentication 
mechanism that protects against replay attacks, perhaps using time 
stamps. In Kerberos, users obtain credentials from the Kerberos 
server and use them for authentication to obtain services from 
other computers on the network. The computing power of the local 
workstation can be used to decrypt credentials (using a key 
derived from the user-provided password) and store them until 
needed. If the security protocol relies on synchronized clocks, 
then NTPv3 might be useful because it distributes time amongst a 
large number of computers and is one of the few existing Internet 
protocols that includes authentication mechanisms [Bishop, 
Mills92]. 


Another approach to remotely accessible networks of computers is 
for all externally accessible machines to share a secret with the 
Kerberos KDC. In a sense, this makes these machines "servers" 
instead of general use workstations. This shared secret can then 
be used encrypt all communication between the two machines 
enabling the accessible workstation to relay authentication 
information to the KDC in a secure way. 


Finally, workstations that are remotely accessible could use 
asymmetric cryptographic technology to encrypt communications. 
The workstation’s public key would be published and well known to 
all clients. A user could use the public key to encrypt a simple 
password and the remote system can decrypt the password to 
authenticate the user without risking disclosure of the password 
while it is in transit. A limitation of this workstation-oriented 
security is that it does not authenticate individual users only 
individual workstations. In some environments for example, 
government multi-level secure or compartmented mode workstations, 
user to user authentication and confidentiality is also needed. 


6. KEY DISTRIBUTION & MANAGEMENT 


The discussion thus far has periodically mentioned keys, either for 
encryption or for authentication (e.g., as input to a digital 
signature function). Key management is perhaps the hardest problem 
faced when seeking to provide authentication in large internetworks. 
Hence this section provides a very brief overview of key management 
technology that might be used. 
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The Needham & Schroeder protocol, which is used by Kerberos, relies 
on a central key server. Ina large internetwork, there would need 
to be significant numbers of these key servers, at least one key 
server per administrative domain. There would also need to be 
mechanisms for separately administered key servers to cooperate in 
generating a session key for parties in different administrative 
domains. These are not impossible problems, but this approach 
clearly involves significant infrastructure changes. 


Most public-key encryption algorithms are computationally expensive 
and so are not ideal for encrypting packets in a network. However, 
the asymmetric property makes them very useful for setup and exchange 
of symmetric session keys. In practice, the commercial sector 
probably uses asymmetric algorithms primarily for digital signatures 
and key exchange, but not for bulk data encryption. Both RSA and the 
Diffie-Hellman techniques can be used for this [DH76]. One advantage 
of using asymmetric techniques is that the central key server can be 
eliminated. The difference in key management techniques is perhaps 
the primary difference between Kerberos and SPX. Privacy Enhanced 
Mail has trusted key authorities use digital signatures to sign and 
authenticate the public keys of users [Kent93]. The result of this 
operation is a key certificates which contains the public key of some 
party and authentication that the public key in fact belongs to that 
party. Key certificates can be distributed in many ways. One way to 
distribute key certificates might be to add them to existing 
directory services, for example by extending the existing Domain Name 
System to hold each host’s the key certificate in a new record type. 


For multicast sessions, key management is harder because the number 
of exchanges required by the widely used techniques is proportional 


to the number of participating parties. Thus there is a serious 
scaling problem with current published multicast key management 
techniques. 


Finally, key management mechanisms described in the public literature 
have a long history of subtle flaws. There is ample evidence of 
this, even for well-known techniques such as the Needham & Schroeder 
protocol [NS78, NS87]. In some cases, subtle flaws have only become 
known after formal methods techniques were used in an attempt to 
verify the protocol. Hence, it is highly desirable that key 
management mechanisms be kept separate from authentication or 
encryption mechanisms as much as is possible. For example, it is 
probably better to have a key management protocol that is distinct 
from and does not depend upon another security protocol. 
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7. 


AUTHENTICATION OF NETWORK SERVICES 


In addition to needing to authenticate users and hosts to each other, 
many network services need or could benefit from authentication. 

This section describes some approaches to authentication in protocols 
that are primarily host to host in orientation. As in the user to 
host authentication case, there are several techniques that might be 
considered. 


The most common case at present is to not have any authentication 
support in the protocol. Bellovin and others have documented a 
number of cases where existing protocols can be used to attack a 
remote machine because there is no authentication in the protocols 
[Bellovin89]. 


Some protocols provide for disclosing passwords to be passed along 
with the protocol information. The original SNMP protocols used this 
method and a number of the routing protocols continue to use this 
method [Moy91, LR91, CFSD88]. This method is useful as a 
transitional aid to slightly increase security and might be 
appropriate when there is little risk in having a completely insecure 
protocol. 


There are many protocols that need to support stronger authentication 
mechanisms. For example, there was widespread concern that SNMP 
needed stronger authentication than it originally had. This led to 
the publication of the Secure SNMP protocols which support optional 
authentication, using a digital signature mechanism, and optional 
confidentiality, using DES encryption. The digital signatures used 
in Secure SNMP are based on appending a cryptographic checksum to the 
SNMP information. The cryptographic checksum is computed using the 
MD5 algorithm and a secret shared between the communicating parties 
so is believed to be difficult to forge or invert. 


Digital signature technology has evolved in recent years and should 
be considered for applications requiring authentication but not 
confidentiality. Digital signatures may use a single secret shared 
among two or more communicating parties or it might be based on 
asymmetric encryption technology. The former case would require the 
use of predetermined keys or the use of a secure key distribution 
protocol, such as that devised by Needham and Schroeder. In the 
latter case, the public keys would need to be distributed in an 
authenticated manner. If a general key distribution mechanism were 
available, support for optional digital signatures could be added to 
most protocols with little additional expense. Each protocol could 
address the key exchange and setup problem, but that might make 
adding support for digital signatures more complicated and 
effectively discourage protocol designers from adding digital 
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signature support. 


For cases where both authentication and confidentiality are required 
on a host-to-host basis, session encryption could be employed using 
symmetric cryptography, asymmetric cryptography, or a combination of 
both. Use of the asymmetric cryptography simplifies key management. 
Each host would encrypt the information while in transit between 
hosts and the existing operating system mechanisms would provide 
protection within each host. 


In some cases, possibly including electronic mail, it might be 
desirable to provide the security properties within the application 
itself in a manner that was truly user-to-user rather than being 
host-to-host. The Privacy Enhanced Mail (PEM) work is employing this 
approach [Linn93, Kent93, Balenson93, Kaliski93]. The recent IETF 
work on Common Authentication Technology might make it easier to 
implement a secure distributed or networked application through use 
of standard security programming interfaces [Linn93a]. 


8. FUTURE DIRECTIONS 


Systems are moving towards the cryptographically stronger 
authentication mechanisms described earlier. This move has two 
implications for future systems. We can expect to see the 
introduction of non-disclosing authentication systems in the near 
term and eventually see more widespread use of public key crypto- 
systems. Session authentication, integrity, and privacy issues are 
growing in importance. As computer-to-computer communication becomes 
more important, protocols that provide simple human interfaces will 
become less important. This is not to say that human interfaces are 
unimportant; they are very important. It means that these interfaces 
are the responsibility of the applications, not the underlying 
protocol. Human interface design is beyond the scope of this memo. 


The use of public key crypto-systems for user-to-host authentication 
simplifies many security issues, but unlike simple passwords, a 
public key cannot be memorized. As of this writing, public key sizes 
of at least 500 bits are commonly used in the commercial world. It 
is likely that larger key sizes will be used in the future. Thus, 
users might have to carry their private keys in some electrically 
readable form. The use of read-only storage, such as a floppy disk 
or a magnetic stripe card provides such storage, but it might require 
the user to trust their private keys to the reading device. Use of a 
smart card, a portable device containing both storage and program 
might be preferable. These devices have the potential to perform the 
authenticating operations without divulging the private key they 
contain. They can also interact with the user requiring a simpler 
form of authentication to "unlock" the card. 
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The use of public key crypto-systems for host-to-host authentication 
appears not to have the same key memorization problem as the user- 
to-host case does. A multiuser host can store its key(s) in space 
protected from users and obviate that problem. Single user 
inherently insecure systems, such as PCs and Macintoshes, remain 
difficult to handle but the smart card approach should also work for 
them. 


If one considers existing symmetric algorithms to be 1-key 
techniques, and existing asymmetric algorithms such as RSA to be 2- 
key techniques, one might wonder whether N-key techniques will be 
developed in the future (i.e., for values of N larger than 2). If 
such N-key technology existed, it might be useful in creating 
scalable multicast key distribution protocols. There is work 
currently underway examining the possible use of the Core Based Tree 
(CBT) multicast routing technology to provide scalable multicast key 
distribution [BFC93]. 


The implications of this taxonomy are clear. Strong cryptographic 
authentication is needed in the near future for many protocols. 
Public key technology should be used when it is practical and cost- 
effective. In the short term, authentication mechanisms vulnerable 
to passive attack should be phased out in favour of stronger 
authentication mechanisms. Additional research is needed to develop 
improved key management technology and scalable multicast security 
mechanisms. 


SECURITY CONSIDERATIONS 


This entire memo discusses Security Considerations in that it 
discusses authentication technologies and needs. 
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